Security Module 3 Introduction

00:02

Hi, who will come back to the company I d Fundamentals class on This is domain three. Security

00:10

says you might guess from the title domain. Three focuses on security,

00:14

and here in the first module, we look at defining some basic security concepts and terminology.

00:22

This module will discuss basic security principles

00:27

that will have a look at my wife.

00:29

Malware refers to any malicious software.

00:32

Viruses are examples of malware, but there are other types as well.

00:37

Then we'll discuss social engineering.

00:40

Social engineering refers to techniques to get users to give away sensitive information such of their passwords.

00:47

But even giving away information about the internal structure of a company WiFi passwords, veins of managers, etcetera can be dangerous.

00:56

Well, look at how malicious users known as hackers

01:00

attempt to figure out or steal user and other passwords.

01:03

And finally, we'll take a look at the importance or physical security.

01:10

But first, let's discuss some basic security principles.

01:17

So why worry about security?

01:21

While the reality is the Internet is a scary place.

01:25

There are thousands or maybe millions of hackers out there

01:30

trying to break into your network and attack your computing devices.

01:34

Now, why do they do this well, in many cases for financial gain,

01:38

maybe they can steal

01:40

corporate information that they confined useful. Maybe Dickens steal personal information

01:47

that they can use for identity theft.

01:51

But there could be other reasons.

01:52

Could be political reasons that could be

01:55

digital vandalism, simply going and defacing your website, for example.

02:00

And of course, some people do it just because they can or to test their own abilities. So do it for fun.

02:07

Bear in mind that these Attackers can be external to your company

02:12

or they can be internal users.

02:16

So I'm going to start off by making you an offer.

02:20

I can guarantee you 100% full proof, unbreakable security for your computer.

02:29

You wanna hire me?

02:30

I don't charge much $1000 an hour,

02:34

but, you know, making your system 100% secure. That's probably worth while.

02:38

If you did hire me, here's what I would do.

02:45

I would

02:46

unplug your computer from the network, unplug it from the maids

02:51

in case it in concrete

02:52

and for good measure, drop it into a volcano.

02:55

There you go. 100% secure.

02:59

Nobody has any access to the data that might be on that computer, including you, of course,

03:05

but the functionality, the usability of that system is now zero.

03:09

In other words, there's a trade off almost always between making things more secure or making them easy to use.

03:23

So I t staff have to keep their systems and data both secure

03:29

but also easily accessible to those who should have access to it and need to have access to it.

03:37

And therefore, your security policies should not be so difficult. Our owner us

03:42

that users start looking for ways around it.

03:45

For example, consider a very strict password policy that says

03:49

Use those passwords have to be complex, which means

03:53

they have to be a mixture of lower case, an uppercase and numbers and normal alphanumeric characters. And they must be long, let's say, 15 characters,

04:00

and they have to change them every 30 days.

04:03

So as a result, you users have to come up with difficult to remember complex passwords that they have to change every 30 days and then try and remember what the current password is

04:14

Now. The way the user gets around something like that is they

04:17

might write down their password.

04:20

Maybe they'll put it somewhere where no one will even think of looking like under their keyboard or under their mouse mat

04:26

or, worse on alert, yet so yellow sticky, stuck to their monitor.

04:30

So we don't want to create policies like that that users then stop

04:35

resent having to follow and start trying to find ways of getting around it.

04:43

So one security concept that is implemented a most networks is the idea of defence in depth.

04:49

In other words, security. SH Security should be implemented in layers like an onion. As you peel away each layer, there's another layer behind it,

04:59

and each layer off security should be self sufficient, and it should assume that all the other layers have failed.

05:05

So, for example, we can implement security at the level of the network

05:11

to keep out external Attackers.

05:14

Then what about internal users?

05:16

We can have security at the host level.

05:19

So

05:21

whereas network administrators manage the network security at the host level,

05:27

we're talking about any computing device. So maybe your own work station,

05:31

Um,

05:33

and so we were put in layers of security at the host in case either the network security is breached and malicious outside users get into the network,

05:45

or we might get attacked by internal users within the network

05:49

and then within the host. You could implement security within applications, so there are many times steps you can take within an application, such as Microsoft Office, to make it more secure.

06:01

And then you can put security around the data that you create. So when you create documents, for example, we can set permissions on them to control access. We can encrypt them to provide another layer of security,

06:19

so defense in depth amounts to this at the perimeter of the network.

06:25

Typically, what network administrators would do is deploy a network firewall.

06:30

The firewall is designed to keep externally people on the Internet from getting into your network

06:36

on a small office or home network.

06:40

That work is performed by your home router,

06:43

which has firewall functionality built into it.

06:47

You can install intrusion detection systems now. That's typically done because it's a fairly complex types of systems is typically done in large corporate networks.

06:59

An intrusion detection system monitors network traffic within your internal network,

07:03

and the idea is that if

07:06

your security firewall security is breached,

07:11

somebody manages to get into your network.

07:13

The intrusion detection system picks that up and alerts administrators.

07:18

You can also at the perimeter, scan incoming emails so you can get appliances made by companies like Barrack Oudeh

07:28

on what they do. A scan, incoming emails

07:30

and one of the things they do is block spam. That's lots of unsolicited e mails that are flooding across the Internet these days,

07:38

but also they can block militias emails. They might look at the attachments on an email or if the email contains links to malicious websites and so on.

07:50

But the focus for this particular course is not on network security, but on host security.

07:57

So the level of the host that is your own computer, your desktop, your laptop, your smartphone, your tablet. You should make sure you have anti malware software installed, and that's more commonly known as anti virus

08:09

as well as a host firewall.

08:11

Now, firewalls are devices that or software that monitors network traffic.

08:18

So the network firewall, for example, is monitoring all network traffic flowing in and out of your network to external networks like the Internet.

08:26

Ah, Host Firewall, on the other hand, is monitoring all the network traffic flowing in and out of your machine.

08:33

So, for example, if there is a malicious internal user within the network,

08:39

their attempts to connect to your system could be thwarted. If you have a host firewall in place,

08:45

the other thing we have to do is make sure we apply the latest security patches.

08:50

Vendors like Microsoft regularly released patches, as do manufacturers of applications, and even the manufacturer of the computer may release firmware updates.

09:01

It's important that you keep your system's updated because the latest security security threats

09:07

could be prevented

09:09

by the latest patches that are available. But if you fail to install them, you're unprotected against those new types of attacks,

09:16

and the other thing you can do is remove all unnecessary features and applications.

09:22

Every unnecessary feature, every unnecessary application and service that you have running

09:28

represents another potential avenue of attack,

09:31

so removing everything that's unnecessary is sometimes referred to as hardening the system.

09:39

You should control which applications are installed and ensure that you only get applications from reputable sources.

09:46

On that, you keep them updated with the latest patches,

09:50

so within a corporate network, administrators consent policies that prevent anything except approved application from running on the computers

10:00

at home. It's really up to you to be vigilant

10:03

when you download stuff off the Internet, make sure it's from a reputable Web site.

10:09

As far as securing the data,

10:11

that is the documents you create,

10:15

Windows allows you and other operating systems like Linux is and OSX allow you to set permissions

10:22

and permissions control access to particular parts and folders. So, for example, I can say this user has read permissions, and that user has read and write permissions and so on.

10:33

But permissions could be circumvented so you can add even more

10:39

layers of security by encrypting your data.

10:41

And that way, even if someone manages to turn the permissions off or change them,

10:48

they would still have trouble. Actually, reading the contents of your data